Bug #49444 $_GET variable
Submitted: 2009-09-02 16:07 UTC Modified: 2009-09-03 12:56 UTC
From: hafizanil at gmail dot com Assigned:
Status: Not a bug Package: Scripting Engine problem
PHP Version: 5.3.0 OS: Windows Xp
Private report: No CVE-ID: None
 [2009-09-02 16:07 UTC] hafizanil at gmail dot com
Description:
------------
I want to send a variable via JavaScript using the $_GET method, and the output goes haywire. The variable sent has also been escaped first (JavaScript). Tested using 5.29 and 5.3.
Browsers:
        1. Internet Explorer 7
        2. Firefox 3.52
        3. Opera 10

Reproduce code:
---------------
This was tested on 5.29
[code]
$_GET['to']="admin (sit: mr chang n mr sairi n mr pzan) <kambing@gmail.com>,";
echo strlen($_GET['to']);
// output: 63
var_dump($_GET);
// output only shows admin (sit: mr chang n mr sairi n mr pzan)
[/code]
This was tested on 5.30
[code]
$_GET['to']="admin (sit: mr chang n mr sairi n mr pzan) <kambing@gmail.com>,";
echo strlen($_GET['to']);
// output: 63
var_dump($_GET);
// output: page goes crazy, shows all the PHP source
[/code]

Expected result:
----------------
var_dump or print_r of the $_GET array should understand a variable which might contain "<>".


Actual result:
--------------
On 5.3 it shows all the PHP source.

 [2009-09-02 19:11 UTC] jani@php.net
Thank you for this bug report. To properly diagnose the problem, we
need a short but complete example script to be able to reproduce
this bug ourselves. 

A proper reproducing script starts with <?php and ends with ?>,
is max. 10-20 lines long and does not require any external 
resources such as databases, etc. If the script requires a 
database to demonstrate the issue, please make sure it creates 
all necessary tables, stored procedures etc.

Please avoid embedding huge scripts into the report.


 [2009-09-03 01:16 UTC] hafizanil at gmail dot com
Javascript (Page 1)
<script language="javascript">
 function sentMail() {
   var url;
   var to;
   url   = 'ml_compose_com.php?';
   document.form.title.value='admin (sit: mr chang n mr sairi n mr pzan)
<kambing@gmail.com>,';
   title = escape(document.form.title.value);
   if(title) 	{ url= url+'&title='+ title; }
   location = url+"&sent_mail=1";
  }
</script>

Page 2 (ml_compose_com.php)
<?php 
echo "<pre>".print_r($_GET)."</pre>";
var_dump($_GET);
?>
 [2009-09-03 09:39 UTC] sjoerd@php.net
Not enough information was provided for us to be able
to handle this bug. Please re-read the instructions at
http://bugs.php.net/how-to-report.php

If you can provide more information, feel free to add it
to this bug and change the status back to "Open".

Thank you for your interest in PHP.



 [2009-09-03 11:13 UTC] mike@php.net
JS treats literal new lines as delimiter.
 [2009-09-03 12:56 UTC] hafizanil at gmail dot com
The solution I tried is to split the string in JS first
[code]
 to_array = to.split("<");
[/code]
Then send it back to PHP as reference. The bug is still considered a bug.
E.g. again

address bar : test.php?mail=admin (sit: mr chang n mr sairi n mr pzan)
<kambing@gmail.com>
[code]
<?php 
echo "<pre>";
echo print_r($_GET);
echo "</pre>";
?>
[/code]

Output 

Array
(
    [mail] => admin (sit: mr chang n mr sairi n mr pzan)
)
1
Image: http://img512.imageshack.us/img512/9974/bugso.jpg
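
Added example (not part of the original thread or of PHP's own code): the report measures strlen 63 for the value while the rendered dump stops before `<kambing@gmail.com>`, which is what a browser does when unescaped angle brackets reach it as markup. Assuming that is what the reporter saw, this sketch shows the same dump with output encoding applied, plus the URL built with proper query encoding; `dump_for_html()` is a hypothetical helper and the input is constructed from the value in the report.

```php
<?php
// Constructed sample input: the value from the report, as PHP would receive it.
$_GET = array(
    'mail' => 'admin (sit: mr chang n mr sairi n mr pzan) <kambing@gmail.com>,',
);

/**
 * Hypothetical helper (not from the report): render a request array for an
 * HTML page. print_r(..., true) returns the dump as a string instead of
 * printing it, and htmlspecialchars() converts < > & " ' to entities so the
 * browser displays them as text instead of parsing them as tags.
 */
function dump_for_html(array $data)
{
    $text = print_r($data, true);
    return '<pre>' . htmlspecialchars($text, ENT_QUOTES, 'UTF-8') . "</pre>\n";
}

// Unescaped variant, equivalent to what the report's page emits.
$raw = '<pre>' . print_r($_GET, true) . "</pre>\n";

// The value held by PHP is complete in both cases; only the markup differs.
echo 'length of value: ' . strlen($_GET['mail']) . "\n";
echo 'address present in unescaped markup: '
    . var_export(strpos($raw, '<kambing@gmail.com>') !== false, true) . "\n";

// Escaped variant: the address survives as visible text (&lt;...&gt;).
echo dump_for_html($_GET);

// Sending side: build the query string with an encoder that handles every
// reserved character, so "<", ">", "@", "," and spaces arrive intact.
echo 'test.php?' . http_build_query($_GET, '', '&') . "\n";
```

Viewing the page source of the unescaped variant shows the address is there as well; only the rendering hides it. The same encoding step is what keeps a request parameter containing markup from being interpreted by the browser.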